<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> 
<html>

<!-- Mirrored from www.javapractices.com/topic/TopicAction.do;jsessionid=4FCCB481C702D708A7360133D128E359?Id=212 by HTTrack Website Copier/3.x [XR&CO'2010], Sun, 12 Jun 2011 17:27:28 GMT -->
<!-- Added by HTTrack --><meta http-equiv="content-type" content="text/html;charset=UTF-8"><!-- /Added by HTTrack -->
<head>
 <title>
  Java Practices -> Prefer PreparedStatement
 </title>
 <link rel="stylesheet" type="text/css" href="../stylesheet8.css" media="all">
 
 <link rel="shortcut icon" href='../images/favicon.ico' type="image/vnd.microsoft.icon">
 <meta name="description" content="Concise presentations of java programming practices, tasks, and conventions, amply illustrated with syntax highlighted code examples.">
 
 <meta name='keywords' content='java,java programming,java practices,java idiom,java style,java design patterns,java coding conventions,'>
 
 
</head>
 
<body>





<div class="main-layout">
 
   

 




<div class='page-title'>Prefer PreparedStatement</div>

<div class='main-body'>
 
<br>
<tt><a href="http://java.sun.com/javase/6/docs/api/java/sql/PreparedStatement.html">PreparedStatement</a></tt> 
is usually preferred over 
<tt><a href="http://java.sun.com/javase/6/docs/api/java/sql/Statement.html">Statement</a></tt> 
for these reasons:
<ul>
<li>in general, it's more secure. When a <tt>Statement</tt> is constructed dynamically from 
user input, it's vulnerable to <a href="http://en.wikipedia.org/wiki/SQL_injection">SQL injection attacks</a>.
<tt>PreparedStatement</tt> is less vulnerable in this way (see below).</li>
<li>there is usually no need to worry about escaping special characters, since parameter values are bound separately from the SQL text.</li>
<li>if repeated compilation is avoided (the database compiles the statement once and reuses it for each execution), its performance is usually better.</li>
</ul>

<P>In general, it seems safest to use a <tt>Statement</tt> only when the SQL is of fixed, known form, with no parameters.

<P><b>SQL Injection</b><br>
If <tt>PreparedStatement</tt> is used <i>correctly</i>, then it does indeed provide complete protection against SQL Injection attacks.
However, if it's used <i>incorrectly</i>, then it's still wide open to such attacks. 

<P>The SQL statement passed to <tt>PreparedStatement</tt> is simply an unvalidated String: the driver does not check that every data value in it has been replaced by a '?' placeholder.
If the String has been constructed using '?' placeholders for all data, then it has indeed been constructed correctly. 

<P>But <tt>PreparedStatement</tt> has no built-in mechanism to prevent the inexperienced or inattentive programmer from passing a String which, by mistake, does <i>not</i> always use a '?' placeholder where it should, for example one that concatenates user input into the SQL text before calling <tt>prepareStatement</tt>. 
Such Strings are wide open to SQL Injection attacks.
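<P>The three cases described above side by side, as an added illustration that is not part of the original page: a concatenated <tt>Statement</tt>, a <tt>PreparedStatement</tt> misused by concatenating before <tt>prepareStatement</tt>, and the correct form with a bound parameter. The <tt>users</tt> table, its columns and the <tt>requireNoInlineLiterals</tt> guard are assumptions made for the example.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

// Added illustration: the "users" table, its columns and the guard method are assumptions.
public final class UserLookup {

  // Statement built by concatenation: the classic injectable form.
  static String emailViaStatement(Connection conn, String userName) throws SQLException {
    String sql = "SELECT email FROM users WHERE name = '" + userName + "'";
    try (Statement stmt = conn.createStatement(); ResultSet rs = stmt.executeQuery(sql)) {
      return rs.next() ? rs.getString("email") : null;
    }
  }

  // PreparedStatement used incorrectly: the data is already spliced into the
  // SQL text before prepareStatement sees it, so there is nothing to bind.
  // The driver accepts this silently; it is exactly as exposed as the Statement above.
  static String emailViaMisusedPrepared(Connection conn, String userName) throws SQLException {
    String sql = "SELECT email FROM users WHERE name = '" + userName + "'";
    try (PreparedStatement ps = conn.prepareStatement(sql); ResultSet rs = ps.executeQuery()) {
      return rs.next() ? rs.getString("email") : null;
    }
  }

  // PreparedStatement used correctly: every data value is a '?' placeholder and
  // is supplied through a setXxx call, so it is sent as data, never as SQL text.
  static String emailViaPrepared(Connection conn, String userName) throws SQLException {
    String sql = "SELECT email FROM users WHERE name = ?";
    try (PreparedStatement ps = conn.prepareStatement(requireNoInlineLiterals(sql))) {
      ps.setString(1, userName);
      try (ResultSet rs = ps.executeQuery()) {
        return rs.next() ? rs.getString("email") : null;
      }
    }
  }

  // A cheap guard for the gap the text describes: PreparedStatement does not
  // check that data went through '?'. Rejecting any quoted literal in the
  // SQL text forces the author to express string constants as bound parameters too.
  static String requireNoInlineLiterals(String sql) {
    if (sql.indexOf('\'') >= 0) {
      throw new IllegalArgumentException("SQL text contains a quoted literal; use a ? placeholder: " + sql);
    }
    return sql;
  }
}
```

The guard is deliberately strict: a query that legitimately needs a string constant must pass it as a parameter as well, which is a small price for making the unsafe concatenation fail at the call site rather than in production.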

<br>
<br>

</div>




<div class='topic-section'>See Also :</div>
<div class='main-body'>
 
  
  <a href='TopicActione914-2.html?Id=105'>Keep SQL out of code</a> <br>
 
  
  <a href='TopicAction85b1-2.html?Id=217'>Beware of common hacks</a> <br>
 
</div>



<div style='height:10.0em;'></div>

 
 
</div>

  

 





<div align='center' class='legalese'>  
&copy; 2011 Hirondelle Systems |
<a href='../source/SourceAction-2.html'><b>Source Code</b></a><IMG class='no-margin' SRC="../images/goldstar.gif" ALT=""> |
<a href="mailto:webmaster@javapractices.com">Contact</a> |
<a href="http://creativecommons.org/licenses/by-nc-sa/1.0/">License</a> |
<a href='../apps/cjp.rss'>RSS</a>
<br>

 Individual code snippets can be used under this <a href='../LICENSE.txt'>BSD license</a> - Last updated on June 6, 2010.<br>
 Over 150,000 unique IPs last month - <span title='Java Practices 2.6.5, Mon May 16 00:00:00 EDT 2011'>Built with</span> <a href='http://www.web4j.com/'>WEB4J</a>.<br>
 - In Memoriam : Bill Dirani -
</div>




</body>

</html>
